Identity privacy

If a priori information is available about a wireless user, such as a model for commu- nication or motion, the identity can be derived by correlating the K separated center components with the available models.

In this chapter, we apply blind source separation algorithm to degrade a number of anonymity measures in networks. The proposed attack methods can apply to not only wireless ad-hoc networks but also infrastructure-based wireless network since the methods do not make use of any information of base stations. Generally, our algorithm can be used to locate objects in a field by using signals from different type of sensors. For example, acoustic sensors can used to locate snipers in a field. More

300 400 500 600 700 800 900 1000 1100 1200 1300 300 400 500 600 700 800 900 1000 1100 1200 1300 Wireless Node Estimated Location

(a) Intensity Image IMGk (b) Edge Detection

Fig. 48. Sender/Receiver/Route Anonymity Attack

generally, the algorithm can be used to analyze any observed mixture data that are linear combinations of the underlying signals.

I. Summary

In this chapter, we focus on a number of anonymity issues in wireless networks. We propose algorithms for the estimation of node density and of node location. The approach is based on principal component analysis for the estimation of nodes in the network (density estimation) and on independent component analysis (blind source separation) for the de-aggregation of the presumably fully anonymized packet trace information. Our experiments show that the attacks are very effective. Two new metrics to evaluate location privacy attack are proposed. They can capture accuracy and precision of the location privacy algorithm and differentiate different shapes of estimated areas. We applied our location privacy attack algorithm to different node arrangements. The result of location privacy attacks can be used to attack traditional sender/receiver anonymity and motion privacy as well.

The fact that the proposed schemes require from the sensors only the capability to receive and count 802.11 packets indicates that one should be able to deploy similar

schemes on nodes in ad-hoc networks, for example, for intrusion detection purposes: The ad-hoc nodes could easily collect the data necessary to identify active intruders and to pin-point their location.

CHAPTER VII

ENGINEERING OF ANONYMITY NETWORKS A. Motivation

Researchers proposed various definitions to quantify anonymity, such as anonymity set size [36], effective anonymity set size [5] and entropy-based anonymity degree [4]. While the metrics led to an increasingly better understanding of anonymity, they tend to focus on the anonymity of a single message under a single anonymity attack. In practice however, metrics are needed that take into account realities of today’s use of networks. a.) Communication settings in real systems range from single messages, to message groups, to streams and FTP transfers. b.) Sophisticated attacks can resort to a variety of techniques to break anonymity: flow correlation attacks, intersection attacks [99], trickle attacks [12], and so on.

A measure for the anonymity degree should satisfy a number of requirements: First, the anonymity degree should capture the quality of an anonymity system. It has been shown for example that information theoretical means, such as entropy, are more accurate for comparing anonymity systems than, say, anonymity sets. Second, the anonymity degree should take into account the topology of the network or that of any overlay defined by the anonymity system. The topology influences how much information can be gathered by an attacker, and thus has an impact on the system anonymity degree. For example, a system of fully-connected nodes will have a different anonymity degree from a chain of nodes. Third, the anonymity degree, as measure of the effectiveness of the anonymity system. While a large number of users clearly contributes anonymity, this not necessary reflects on the quality of the anonymity system. should be independent of the number of users. Finally, the anonymity

measure must be independent of the threat model, as attackers may use a variety of attack techniques, or combinations thereof, to break the anonymity.

Since the goal of anonymity attacks is to infer the communication relations in a system despite countermeasures, it is natural to model such attacks as covert chan- nels. Increased interest has focused on the interdependence of anonymity and covert channels [40, 100]. The imperfectness of an anonymity system will result in the in- formation leaking from the system. This information leakage can be evaluated in form of a covert channel. The designer of an anonymity system generally faces the question of how much information may leak from the anonymity network given the unavoidable imperfectness of the anonymity network and how this may affect the anonymity degree. The imperfectness of an anonymity system will result in the infor- mation leaking from the system. This information leakage can be evaluated in form of a covert channel.

The work presented in this chapter takes a system-level view of covert channels and anonymity, and differs from previous work, such as [38, 39, 40], in two ways: First, we assume that the existence of various sources of information leakage in the elements (mixes, batchers, padders, · · ·) of an anonymity system are a reality that system designers and operators have to deal with. Some of the resulting covert channels can be identified and either measured or analyzed using techniques described in [38, 39]1 In addition, any cautious anonymity system designer or operator must assume that even mixes presumed to be perfect are not so, even if the particular weakness is not know a priori. In this chapter, we use covert channel capacity as a generic measure to model weaknesses (known or unknown) in the anonymity system infrastructure. This gives a tool for designers or operators to uniformly describe both known weaknesses

(i.e. results of attacks), or merely suspected ones, and to analyze their effect on the anonymity provided by the system. Second, the anonymity degree of the mix network is a result of system-level effects: changes in the user population or application mix affect the anonymity provided. So do topology of the anonymity system and routing preferences within the system. As a result, there is no one-to-one mapping from the anonymity degree to covert channel capacities of elements in a mix network and vice versa. In this chapter, we investigate the relationship between anonymity degree and covert channel capacity in terms of what effect one has on the other.